BringYourOwnIT.com (http://bringyourownit.com)
Information Security, Mobile Security and the Internet of Things
Mon, 15 Jan 2018 20:35:28 +0000

When IoT Attacks – The End of the World as We Know It?
http://bringyourownit.com/2017/10/20/when-iot-attacks-the-end-of-the-world-as-we-know-it/
Fri, 20 Oct 2017 20:15:37 +0000

A cursory look at OWASP’s IoT Security Guidance will highlight just how many elements in the IoT ecosystem could be exploited. Among others, these include the web interface, network, transport encryption layer, mobile app and device firmware. The latter is a key area of focus for the prpl Foundation, a non-profit which is trying to corral the industry into taking a new hardware-based approach to IoT security. Cesare Garlati, chief security strategist, claims that hackers could exploit IoT chip firmware to re-flash the image, allowing them to reboot and execute arbitrary code. “The issue with this kind of attack is that it gives the hackers complete control of the device and it is persistent; it can’t be undone via a system reboot, for example”, he tells Infosecurity. The answer is to ensure IoT systems will only boot up if the first piece of software to execute is cryptographically signed by a trusted entity. “It needs to match on the other side with a public key or certificate which is hard-coded into the device, anchoring the ‘Root of Trust’ into the hardware to make it tamper proof”, says Garlati.

Worst Case Scenario

The prpl Foundation also points out that proprietary code is less secure than open source, that connectivity is often poorly engineered and that too many systems allow lateral movement at a chip level, ignoring the best practice rule of ‘security by separation’. The best way to mitigate the latter issue is via chip-layer virtualization, Garlati explains.

The question is, beyond data theft and DDoS-related outages, what harm could deficient IoT security genuinely do to society? Pioneering work by Miller and Valasek into connected car security first showed us back in 2015 how a vehicle could be remotely hacked and consequently steering and brakes manipulated, potentially to catastrophic effect. Then Kremlin-linked attacks on Ukrainian power stations in December 2015 and again in 2016 highlighted how – in one instance – IoT firmware could be successfully hacked and reflashed to disrupt energy supplies for hundreds of thousands.

As the IoT works its way into ever more critical computing systems, the potential for devastating attacks multiplies, according to Sean Joyce, US cybersecurity & privacy leader at PwC. “Even the US military is concerned about IoT risks,” he explains. “A recent Government Accountability Office report outlined several national threat scenarios in which IoT security risks might harm Defense Department operations, equipment or personnel. These examples include the potential sabotage of a mission or equipment, operations security and intelligence collection and the endangerment of leadership.”

Attacks might be easier to launch than many IoT-manufacturers think. Munro claims that simply by hacking and remotely controlling home smart thermostats en masse, an attacker could take down the entire power grid.

What Can We Do?

Given the huge security challenges associated with current IoT systems, the market has clearly failed, despite 90% of consumers now believing security should be built into devices, according to Irdeto. However, governments are responding. In the US, senators have introduced the Internet of Things Cybersecurity Improvement Act, designed to improve baseline security in the market by tightening the requirements for government suppliers. In the UK, the government recently published guidelines for connected car manufacturers, in a bid to improve standards.

However, Munro thinks the right approach should combine regulation and litigation. “Regulations take a long time,” he says. “It’s fantastic to see, but in the meantime we need to see more litigation [of the kind faced recently by] Bose and WeVibe. The pressure brought by consumer groups, lawyers and governments will force IoT makers to produce more secure kit.”

Until then, it’ll be down to CISOs to mitigate IoT security risk inside the enterprise. Yet according to PwC’s latest research, only 35% of organizations plan to assess device and system interconnectivity and vulnerabilities across the business ecosystem. This needs to change. IT also needs to strictly monitor IoT device usage, enable security protection on all devices, segment devices onto non-critical networks, encrypt all IoT comms and educate staff about the dangers, says Context’s Higginson. “From isolated incidents to widespread chaos that could be possible with the manipulation of the electrical grid, the potential for damage is huge,” warns prpl Foundation’s Garlati. “It’s almost limitless.”

In the optimal situation, there is no way that anyone should be able to access, much less hijack, the critical functions of an IoT device such as a drone. While the power for destruction from just one drone may seem paltry, directing these drones in large numbers at a target is a very real, and dangerous, possibility – as confirmed by this news.

The time to act is now to take control of security in IoT devices at the most basic level: the hardware.

Manufacturers need to move away from the attitude that “it works, let’s try to secure it and get it to market” to “if it’s not secure, it doesn’t work”. Unless the industry adopts this attitude, the security problems of IoT will continue to proliferate at an alarming rate and unfortunately, lives could quite literally be at stake.

Last week I had the pleasure of attending Embedded World 2017 in Germany as I was invited to give a couple of presentations on the pioneering work we have been doing at the prpl Foundation with regards to the prplHypervisor and prplPUF APIs for securing IoT. As it turns out, IoT was the top line at the conference that drew in more than 30,000 trade visitors – and the event solidified the notion that embedded computing is now synonymous with IoT.

IoT Security: Pushing the boundaries of resource constrained devices

The main theme running throughout was the challenge of pushing resource constrained devices to the limits. From a tech provider’s perspective, this was the most pervasive, well-defined issue being tackled at the show – how do we push the capabilities when it comes to functionality and security in low power devices with limited memory and minimal CPU resources? With IoT, applying security technology after the fact or using encryption as used in a traditional security model is simply not an option in devices that don’t have the battery power, memory or CPU to support such measures, much less being able to afford the expense when the device itself costs so little. Yet, the fact that these are physical devices makes them so much more dangerous to human life and therefore the security should be taken just as seriously as that of a data centre.

Open Source as (one) answer

For many of these basic security questions, the answer is that more and more vendors are adopting – or seriously considering – the use of open source software. Though not everyone was aligned with the true value of open source, and some even felt opportunistic, it was encouraging that the message of using open source, with all the extra eyes on it, is getting through. Having said that, and knowing that open source software is notoriously more resilient than proprietary, closed source software, it does have its issues that vendors and manufacturers need to be aware of. Namely, though it is open and freely available, open source is not free. Yes, there is no licensing fee, but that is not to say it doesn’t come with the expenses of developing expertise, ensuring the organisation using it has the right liability cover, maintenance and working with open source communities to get the best out of it. As with anything in life, using open source requires upkeep to get the most from it.

In silicon we trust

Using open source protocols to get the basics right in IoT means that embedded devices can truly be interoperable with each other. What stops this from being a security risk is trust. The other element I discussed and which received over an hour of questions from the audience was the prplPUF API, the Physical Unclonable Functions implementation of the prplSecurity framework. I think everyone can agree that we’ve established that embedding secrets in a device is just not a good idea – and if you need proof, look no further than the Vault 7 revelations; not even the CIA can hide such secrets. Instead, what if you could extract a unique identifier from the silicon itself, something that is exclusive and repeatable and unable to be cloned? This could have all sorts of applications for improving and strengthening security in embedded devices and the real genius of it is that it’s something that already exists within the hardware itself – much like a digital fingerprint. By using the prpl platform which combines open source with the use of a light-weight hypervisor for security by separation and PUF to establish trust in embedded systems, we’re looking at a much safer future for IoT.

Drones wide open to hijack threats

Don’t let that flying drone out of your sight: you never know where it might turn up next.

Last year, customers of Amazon in Cambridge began signing up for a novel delivery option. A 25kg drone, which is able to fly up to 10 miles gripping a book-sized package underneath, took just 13 minutes to fly from the warehouse nearby, landing briefly to drop the order on a delivery mat marked with the distributor’s single-letter logo in the customer’s rear garden.

Amazon plans to slowly roll out the service if the limited trial proves successful, aware that regulatory restrictions over flying robot couriers could prove to be a major obstacle. Aviation authorities are concerned about the safety aspects of unattended, battery-powered robot aircraft routinely zipping around the skies. In the UK, drones cannot fly legally out of sight of their operator or close to buildings without a special licence, but drone delivery may have another problem. The package may never reach its intended destination, with the drone itself becoming part of a criminal or even a terrorist network.

In the McAfee Labs 2017 Threats Prediction report published at the end of 2016, Intel cyber-security and privacy director Bruce Snell predicted drone hijacking will become a practical reality in the coming months. He argues that 2017 will see the availability of hacking toolkits: prepackaged software and code to make hijacking easy. As a result, he speculates that 2017 is the year that we will start to see stories of commercial drones being taken out of the sky not by shotguns or birds of prey but by software.

Snell sees a key risk emerging for delivery companies if drone-transported stock is stolen. Criminals may simply steal expensive camera equipment from drones used to capture video and take high-quality photos of the Earth underneath.

But this isn’t the most important problem, according to Cesare Garlati, chief security strategist for the prpl Foundation, which develops open-source embedded software. He believes the real threat from dronejacking comes from the scale at which drones could conceivably be hijacked – and the possibilities for terrorism.

Garlati cites the Mirai botnet, the malware that last year managed to take down large swathes of the internet by targeting the major services like Twitter and Netflix. It quickly emerged that the huge distributed denial of service (DDoS) attack wasn’t the result of thousands of personal computers working together, the usual weapons of choice for these activities. They were, instead, armies of home security cameras and internet routers.

Garlati sees drones as potentially suffering from the same problem, as there are now thousands of devices out in the wild running insecure firmware. But instead of being used to attack cyberspace, they can be let loose on the physical world.

Sure, consumer drones are just toys – but en masse they could represent a different level of threat. “BB guns are toys,” Garlati says. “You don’t die if someone shoots at you with a BB gun. But now if they shoot at you with a thousand BB guns you’re going to be in big trouble.”

He suggests that a nightmare scenario might be something like an intentional version of what happened with the ‘Miracle on the Hudson’. In the 2009 incident, which was dramatised in the film ‘Sully’, an Airbus A320 leaving LaGuardia airport in New York City was struck by a flock of birds, which caused the engines to lose power. Captain Sullenberger avoided disaster by landing the aircraft on the Hudson River. What if, the implication is, a swarm of consumer drones could be deliberately piloted to cause the same sorts of collisions?

So how to actually take control of a drone? One technique is to fool the onboard navigation system. When the Iranian government took control of a US military drone in 2011, some engineers thought it was done by GPS spoofing. The signals from the orbiting network of satellites are comparatively weak and are easily masked by a local transmitter. US military experts discounted the possibility of GPS hacking alone being responsible for the capture. Since the invention of cruise missiles, military avionics designers have favoured inertial guidance systems with GPS used as a backup, because the internal accelerometers and gyroscopes are less vulnerable to electronic attack.

For a commercial hacker, GPS spoofing is likely to be overkill. Hackers can take direct control of many consumer drones with disturbing ease. The reason is simple: like the devices attacked by Mirai, many have pretty lax security. Many consumer drones use Wi-Fi to communicate with the pilot’s controls. Often they use easily cracked protocols such as WEP, or in some cases, no encryption at all.

No encryption might sound crazy, but this is something even military and law-enforcement agencies have neglected. Last year IBM security consultant Nils Rodday was able to demonstrate how a £27,000 drone used by police could be compromised with hardware costing just £30. He did this by targeting the on-board Xbee chip which is found in many drones, and intercepting packets of data sent by the Android app that controls it.

Security researcher Jonathan Andersson has already shown that dronejacking kits are feasible. He created a pocket-sized device he calls Icarus after the mythical ancient Greek figure who lost his wings by flying too close to the sun. This is essentially an all-in-one toolkit that will analyse the wireless signals looking for telltale data packets. Using this data it will figure out how to break in using a brute force hack and will then take control.

Samy Kamkar, though, perhaps takes the crown as the most ingenious drone hacker so far. He has built a similar device, using a Raspberry Pi mini-computer powered by a USB battery pack, and has attached it to a drone of his own. The Skyjack drone, as Kamkar has dubbed it, is capable of patrolling the skies sniffing out other drones and then hacking into them to take control.

Skyjack looks for drones with Wi-Fi identification numbers that correspond with those owned by Parrot, one of the largest manufacturers of drones. In common with other network protocols such as Ethernet, Wi-Fi devices send messages to each other using their media access control (MAC) address. These need to be unique, so manufacturers of network hardware are assigned blocks of addresses that they then put into their products. Hackers can easily identify the manufacturer by the first couple of characters in the address.

Kamkar’s drone can connect to multiple other UAVs simultaneously, and he can pilot them or he can just view the camera live by connecting through his own phone or tablet. It is easy to see how such technology could be used to summon a drone swarm for launching attacks of the type described by Garlati.

How can the industry deal with the problem? “It’s not a simple question”, says Intel Security CTO Raj Samani, owing to the different forces that influence drone production. For the smallest, cheapest drones, where consumers are presumably likely to be most price-conscious, he wonders whether they are going to consider security if it adds to the bottom line.

Samani does, however, suggest some things that could be done: having an approved and agreed communications standard, encrypting the signal and using stronger authentication. The last point is especially important. The drone software should verify the source of the commands it is receiving and reject those coming from unapproved transmitters. Drone software could also build in measures to automatically detect common attacks such as replay attacks, which use the same principles as a DDoS attack to bombard the target device with commands in order to disrupt or gain entry.

“These are simple principles that we’ve been doing for years in computing. I don’t see why having these devices flying over our heads should be any different,” Raj says.
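The source verification and replay detection suggested above can be sketched as follows. This is an added example, not code from the article or from any drone vendor; the frame layout, the `seal` and `CommandReceiver` names and the paired key are assumptions made for the illustration.

```python
# Added illustration (hypothetical names and frame layout): a receiver that
# only obeys commands from the transmitter it was paired with and refuses
# frames it has already seen.
import hashlib
import hmac
import struct

TAG_LEN = 32                      # HMAC-SHA256 output size in bytes
COUNTER = struct.Struct(">Q")     # 64-bit big-endian message counter

# Constructed sample key; in practice it would be agreed during pairing.
PAIRED_KEY = bytes(range(32))


def seal(key: bytes, counter: int, command: bytes) -> bytes:
    """Controller side: counter || command || HMAC(key, counter || command)."""
    body = COUNTER.pack(counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()


class CommandReceiver:
    """Drone side: accept a frame only if it is authentic and newer than the last."""

    def __init__(self, key: bytes):
        self._key = key
        # Must survive reboots (non-volatile storage), otherwise old frames
        # become valid again after a power cycle.
        self._last_counter = 0

    def accept(self, frame: bytes):
        if len(frame) < COUNTER.size + TAG_LEN:
            return (False, "malformed")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        # Constant-time comparison: the tag proves who sent the frame and
        # that neither the counter nor the command was changed in transit.
        if not hmac.compare_digest(tag, expected):
            return (False, "bad tag")
        (counter,) = COUNTER.unpack(body[:COUNTER.size])
        # The counter is checked only after the tag, so it cannot be forged.
        if counter <= self._last_counter:
            return (False, "replay")
        self._last_counter = counter
        return (True, body[COUNTER.size:].decode("ascii", "replace"))


def demo():
    """Run a constructed exchange and return the receiver's decisions."""
    rx = CommandReceiver(PAIRED_KEY)
    takeoff = seal(PAIRED_KEY, 1, b"TAKEOFF")
    climb = seal(PAIRED_KEY, 2, b"CLIMB 10")

    # A frame captured off the air and edited to carry a higher counter.
    bumped = bytearray(takeoff)
    bumped[COUNTER.size - 1] = 9

    return [
        rx.accept(takeoff),                               # genuine
        rx.accept(climb),                                 # genuine
        rx.accept(takeoff),                               # captured frame sent again
        rx.accept(seal(b"\x00" * 32, 3, b"LAND")),        # unpaired transmitter
        rx.accept(bytes(bumped)),                         # captured frame, counter edited
        rx.accept(seal(PAIRED_KEY, 3, b"LAND")),          # genuine
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Authentication alone does not stop a captured frame from being sent again; the counter does, and it is only trustworthy because it is covered by the tag.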

One obvious question is that of regulation: is it time for the government to step in and set the rules? Garlati believes this could be a mixed blessing. “Be careful what you wish for,” he warns. “Their role is to establish rules, put stakes in the ground, so that the end result is that when a regulator comes in, innovation suffers.”

Garlati says regulators can be counterproductive to effective security. To explain, he gives the example of the US Federal Communications Commission (FCC) approach to Wi-Fi routers. Installing custom firmware on routers was becoming increasingly common, as it enabled users to use wireless channels that were forbidden in the US. The result was less congested airspace, and thus faster Wi-Fi at the cost of interference with users of other services in the adjacent channels. To counter this trend, the FCC effectively mandated that router firmware should be locked down, so that new software could not be installed. But this creates an obvious problem: no software is perfect, so removing the ability to install updates through official channels ends up leaving the locked down routers vulnerable to malware and attack.

With respect to drones, Garlati argues everyone should be responsible for ensuring they are secure – including industry, government and individuals. “The end user should refuse to buy a product that refuses to add some minimum security posture”, he says. “Food is not much different. You can buy any kind of junk food but at least you get a [nutritional] label on the box.”

Unfortunately though, to a certain extent this conversation may be happening too late. “This isn’t discussing the future, this is happening today,” Cesare warns.

Raj says similar. “We can replace drones with connected cars, slow cookers and ovens. All of these smart devices that are coming out… is anyone ever updating them?” he asks. “That’s a bigger challenge that we face. There just isn’t the incentive for people to go out and install firmware updates [on a system] that seems to be working.”

Without people paying more attention to how their drones could be taken over, they may become very unfriendly skies.

The world’s great and good of the information security industry descended on San Francisco this week for RSA Conference 2017. On the surface, it looked like more of the same this year. There weren’t a huge amount of new companies exhibiting this year and the traditional vendors all seemed to be consolidating and streamlining their product lines in attempt to demystify buyers. It even saw the McAfee brand back this year after a noticeable absence in the previous “Intel Security” era.

What was extremely apparent, however, was a return to the future. By this I mean the return of focus on securing the endpoint. From laptops, desktops and mobile phones, BYOD reared its head again under a different guise – Bring Your Own Anything. The reason for this is likely the shift to the cloud and away from traditional on-premises offerings, where RSA vendors have typically focused in the past. This trend has meant that as applications, services and virtual workloads move to the cloud and third parties, the corporate data centre is becoming less and less central to IT budgets. As such, we are now seeing a trend where established vendors are following suit and looking once again at the endpoint as a source of revenue, albeit from a slightly different perspective this time.

This difference comes in the form of Internet of Things (IoT) – which, based on the amount of presentations at RSA this year, is clearly of major significance within the industry. Kaspersky jumped on the bandwagon and announced its platform for IoT and AT&T, IBM, Symantec and others announced an IoT Cybersecurity Alliance.

But is IoT just another buzzword? The scepticism comes from the fact that traditionally, RSA has been a datacenter/network security event. Granted, network perimeters are changing significantly with the advent of things like the cloud and IoT, but I’m still unconvinced that people can define IoT successfully in this context. It simply isn’t a problem that traditional network security is going to fix, as evidenced in prpl’s extensive research into how to secure the IoT. We know that securing IoT has to start at the hardware level, and that traditional RSA conference vendors have little understanding of this space.

It was encouraging to see a large presence by the not for profit Cloud Security Alliance that was poised to tackle the IoT issues and the crowd for the CSA seminar exceeded 1,400 – with queues out of the door for attendance. Its approach, which advocates open standards, is one which prpl aligns itself with and it is heartening to see everyone coming together in an organised manner to undertake the problems associated with IoT security.

Finally, the last significant observation for me at RSA was the emerging role of identity as it relates to securing corporate data. There was a lot of innovation happening around the idea of making passwords obsolete and start-up UnifyID even took the RSA Innovation Sandbox contest with its implicit authentication platform that combines machine learning and the array of devices around us to match our bodies, and more specifically the way we move, to our identities.

It’s innovations like these and the group mentality of coming together to face security issues head on that mean RSA will be successful for years to come. It just needs scratching away at the surface to get to the real innovation: end to end security cloud to silicon.

“Being an advocate of open source, prpl welcomes the ability for Metasploit to be used to test hardware, which is often neglected in pentesting typically limited to networks and network connectivity. Hardware is critical to the journey to securing IoT devices.

“While the Metasploit update brings with it the potential for more vulnerabilities to be discovered, I think it must be used responsibly, with ethical hackers giving vendors enough time to address problems before they are disclosed to the wide world.”

“It will be a wake up call to device manufacturers to take the security of hardware in connected devices more seriously and in fact hardware is the key to making security more robust in connected devices. It also further confirms that security through obscurity just doesn’t work anymore and it’s time for a more proactive approach to securing embedded devices including using open source, security through separation with hardware virtualization and a root of trust established at the hardware level.”

In 2016, the danger posed by the Internet of Things (IoT) became a reality. Add in factors such as the Mirai botnet and industrial control systems, and the problem becomes more than just Fitbits being connected to the network.

The problem was countered with the first industry guidance in November 2016, when both the Department of Homeland Security and NIST issued documents on IoT: with the DHS advising manufacturers, services providers, developers and business-level consumers; while NIST went for more detail for manufacturers/developers with guidance on how to engineer safer products.

DHS Secretary Jeh Johnson said that the “growing dependency on network-connected technologies is outpacing the means to secure them,” so securing IoT became a matter of homeland security.

One initiative aiming to make a difference to the issue of IoT is the Prpl Foundation, an open-source, community-driven, collaborative, non-profit foundation. Its chief security strategist, Cesare Garlati, was one of the many willing to make predictions for 2017 in this sector.

He said that attackers will continue to exploit the “always on” capabilities of smart devices, and the first line of defense to those devices: the home gateway. The second had much more devastating consequences, as Garlati said that either through direct tampering or remote control takeover of critical devices, he feared there will be loss of human life resulting from cases of hijacked IoT devices.

So what was the IoT in his view? He determined it as “embedded connected devices”, including connected cars, as it is embedded connected electronics and a rich connected system.

“If you add rich embedded functionality and a rich operating system and if you have an application with building blocks, once together online they can be used for attack. This is different from a traditional computing device; you have something traditional there and a user and manned device, these [IoT] are unmanned and no one knows where they are, and there are literally millions.”

Garlati added that traditional computing is connected and embedded and features the capability to offer encryption, while with an IoT device you buy it and switch it on, and it becomes an “ideal target in terms of attack”.

In its first Global Smart Home Security Report, Prpl Foundation found that adoption of smart devices per household was strongest in the continental European nations of France (5.8 devices), Italy (5) and Germany (4.5), with the UK (2.6) and US (2.4) around the same level as each other. Working out as an average of 3.4 devices in the home, Garlati said that it doesn’t matter what or how many devices you have – you can have 25 devices or one, the problem is the “damage you can do with it”.

“It is bad and I’ve been preaching for 18 months, but it would be nice for it to be more open and everyone needs to know that these toys can create serious problems.”

Ahead of the announcement of the NIST and DHS guidance, Garlati described the IoT sector as a ‘Wild West’, particularly in fixing the issues. Asked how it can be mended, he said that this needs to begin with end-users being aware of the dangers, but as an industry, understand the moral security of “millions of these things misbehaving”.

He made the point that devices come with hard coded passwords which cannot be changed, so unless the user patches the system, it does not get updated. “We asked people ‘when was the last time you updated your routers’ and 40% said they have never done so,” he explained.

“If the airbag is faulty, there is an entity which says that this is a danger for people as if the car doesn’t work it is not just you, but the damage you can do, so it is illegal to drive and sell the car and the vendor would be forced to fix the problem. Have you seen a recall of a router?”

He pointed to an issue where the FTC settled with ASUS about critical security flaws in its routers which put the home networks of hundreds of thousands of consumers at risk, so a proposed consent order required ASUS to establish and maintain a comprehensive security program subject to independent audits for the next 20 years.

Garlati concluded by arguing that you can stop a car on a highway when its lights are not working, but you cannot stop IoT when there is no legal framework. This led to his prediction that we will see human fatalities which have not happened yet, but will happen as devices are connected with physical objects – energy, power, cars. “How do you force 100,000s of people to update their camera? There is no legal framework for doing that,” he said.

Obviously this is a case that we as an industry want to avoid, but as the IoT spirals on with a focus on usability over security, this could be a worst-case scenario.

Quick look – This session will address four key elements that have introduced serious weaknesses into the IoT: proprietary systems, connectivity, unsigned firmware and lateral movement. Discussion will showcase a new approach to IoT security demonstrating how SoC virtualization and security through separation can address these vulnerabilities, which have already been shown to have potentially life-threatening consequences.

From hospitals dispensing life-saving drugs, to connected cars – embedded computing is transforming the way we live and work. But underlying weaknesses have introduced potentially life-threatening vulnerabilities into the Internet of Things.

In this interactive presentation prpl Foundation Chief Security Strategist, Cesare Garlati will explain where these weaknesses exist and why. This will be no death-by-PowerPoint. Instead, Garlati will showcase a Proof of Concept hardware design featuring state-of-the-art technology fresh out of the labs and about to be shipped in new commercial products. Through the live demo, attendees will see how SoC virtualization and security through separation can address serious flaws in IoT which have already been shown to have potentially life-threatening consequences.

He’ll discuss key examples which have already come to light, including

Valasek and Miller’s research which showed how a remote hacker could control the steering and brakes of a Jeep Cherokee 2014

The Ukrainian power outage of Christmas 2015 where hackers replaced firmware at sub-stations so staff couldn’t access systems

Hospira drug pumps, which were banned by the FDA after research found they could be remotely hacked.

Garlati will demonstrate how in all of these cases and more, four key elements exposed these systems to attack by third party hackers. He’ll explain that Proprietary systems are intrinsically insecure because ‘Security-by-obscurity’ no longer works. Firmware binary code can usually be reverse engineered. He’ll explain that their Connectivity, if improperly implemented, allows IoT devices to be hacked. Garlati will detail how Firmware in embedded systems is often not signed and therefore exposed to malicious modifications. This means that an attacker could reverse engineer the code, modify it, reflash the firmware and reboot to execute arbitrary code. And he’ll explain how Lateral movement allows attackers to exploit critical components of a system by penetrating non-critical applications.

The prpl Foundation is trying to make the world safer by urging IoT stakeholders to read and absorb its guidance. This hands-on presentation will be essential for anyone with an interest in the future of IoT, embedded computing and hardware-level multitenancy. This includes major stakeholders in the supply chain who deal with security: from OEMs and SoC manufacturers; to producers of routers, biomedical devices and set-top-boxes; to CPE, home entertainment and automotive designers and developers.
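The unsigned-firmware weakness in the abstract above, and the fix Garlati describes in the first article (boot only code whose signature matches a public key fixed in the device), side by side as an added example that is not prpl's or any vendor's code. Function names are hypothetical, the firmware bytes are constructed, and a SHA-256 Lamport one-time signature stands in for the vendor's real scheme (typically RSA or ECDSA) so that the block needs only the standard library.

```python
# Added illustration: boot logic with and without a signature check.
# All names are hypothetical; the "firmware" is a constructed byte string.
import hashlib
import hmac
import secrets

BITS = 256  # one key element pair per bit of the SHA-256 image digest


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _digest_bits(image: bytes) -> list:
    value = int.from_bytes(_h(image), "big")
    return [(value >> (BITS - 1 - i)) & 1 for i in range(BITS)]


def keygen():
    """Vendor side. The private half never leaves the signing facility."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32))
               for _ in range(BITS)]
    public = [(_h(zero), _h(one)) for zero, one in private]
    return private, public


def sign(private, image: bytes) -> list:
    """Vendor side. Reveals one secret per digest bit, so one key signs one image."""
    return [private[i][bit] for i, bit in enumerate(_digest_bits(image))]


def verify(public, image: bytes, signature) -> bool:
    """Device side. Hash each revealed secret and compare with the fixed key."""
    if not isinstance(signature, list) or len(signature) != BITS:
        return False
    if not all(isinstance(part, bytes) for part in signature):
        return False
    ok = True
    for i, bit in enumerate(_digest_bits(image)):
        ok &= hmac.compare_digest(_h(signature[i]), public[i][bit])
    return ok


def boot_unsigned(flash_image: bytes) -> str:
    """Weak design: whatever sits in flash is executed after a reboot."""
    return "RUN " + _h(flash_image).hex()[:8]


def boot_verified(rom_public_key, flash_image: bytes, signature) -> str:
    """Hardened design: the first code to run must carry a valid signature."""
    if not verify(rom_public_key, flash_image, signature):
        return "HALT"
    return "RUN " + _h(flash_image).hex()[:8]


def demo():
    private, rom_public_key = keygen()   # public half is fixed in the device
    vendor_image = b"CONSTRUCTED-FIRMWARE v1.0: read sensor, report to hub"
    signature = sign(private, vendor_image)
    # Same image with a few bytes changed, as after an unauthorised reflash.
    modified = vendor_image.replace(b"report to hub", b"report to ???")
    return {
        "unsigned_vendor": boot_unsigned(vendor_image),
        "unsigned_modified": boot_unsigned(modified),
        "verified_vendor": boot_verified(rom_public_key, vendor_image, signature),
        "verified_modified": boot_verified(rom_public_key, modified, signature),
        "verified_missing_sig": boot_verified(rom_public_key, modified, []),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22s} {outcome}")
```

The check is only as strong as the storage of the public key: if the key lives in the same rewritable flash as the firmware, a reflash replaces both, which is why the article asks for it to be anchored in hardware.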

Automotive security: pen-testing is no replacement for sound product development
http://bringyourownit.com/2016/10/20/automotive-security-pen-testing-is-no-replacement-for-sound-product-development/
Fri, 21 Oct 2016 00:45:23 +0000

Reposting from Automotive Testing Technology International

When it comes to testing the components of modern connected cars, of course pen-testing (penetration testing) has its place; however, it is no substitute for solid product development.

In testing, companies often operate under the notion that an identified problem can be fixed or patched. This may be true for some areas of testing, but for security, it is not sufficient. Security needs to be built-in, from the ground up. And that means starting at the hardware layer, which is seldom done today, but which is completely viable given the advancements in silicon and other connected vehicle technologies.

In fact, the prpl Foundation has produced a guide on how to secure critical areas of embedded computing that advocates the use of open, interoperable protocols and APIs, exercising security by separation, through implementing hardware virtualization and anchoring a root of trust in silicon.

Looking back at all of the recent public cases of researchers hacking connected cars, they all share the exploitation of proprietary code. The idea that closed, proprietary systems can work within the Internet of Things and connected devices is a myth. In contrast, an open security framework has been constantly tested and has had many eyes cast over it to ensure its strength.

The second thing they all have in common is that once hackers were able to reverse engineer vendor-specific code to gain access to one area of the system, they proceeded to move around laterally to other networked components. The idea that an actor can gain access to a non-critical component in a vehicle, such as the entertainment system, and then work their way into a critical area, such as the steering, is scary to think about. But without the time-tested method of security by separation, it is a reality. This separation can be achieved by using hardware virtualization so that, although the components might not be more secure independently, one bad apple doesn’t compromise the whole system.

Finally, all of these security controls need to be tied to a root of trust in silicon; this can be a by-product of the hypervisor used in creating hardware virtualization or can be achieved by some other method. One neat area being explored by prpl at the moment is physical unclonable function (PUF) technology that can extract a unique identifier from the silicon itself, much like a fingerprint, to provide authentication and establish a root of trust.

In summary, pen-testing is important, but it is no replacement for sound product development. Security can only be forged from the ground up in the silicon of connected components themselves. It cannot be added as an afterthought as we have seen time and time again. Testing alone does not make a product secure. From a risk management perspective, testing lowers the risk but doesn’t completely remove it. After all, upon successful testing one can say, “I couldn’t find anything wrong,” which is not the same as saying, “There is nothing wrong.”

prpl Foundation Unveils the First Open Source Hypervisor for the Internet of Things
http://bringyourownit.com/2016/07/11/prpl-foundation-unveils-the-first-open-source-hypervisor-for-the-internet-of-things/
Tue, 12 Jul 2016 03:55:18 +0000

Debut of the prplHypervisor to Occur at the IoT Evolution Expo in Las Vegas

SANTA CLARA, CA–(Marketwired – Jul 11, 2016) – The prpl Foundation today announced the upcoming debut of the prplHypervisor at the IoT Evolution Expo in Las Vegas. The prplHypervisor is an industry-first light-weight open source hypervisor specifically designed to provide security through separation for the billions of embedded connected devices that power the Internet of Things.

A principle set out in the Security Guidance for Embedded Computing published by prpl in early 2016, security through separation is key to fixing the fatal security flaws plaguing the IoT. “From theft of personal information and financial data to remote takeover of devices which could bring harm to the public, it’s in the interest of every stakeholder in the connected device supply chain to ensure that these devices are designed first for security,” said Art Swift, president, prpl Foundation.

The prplHypervisor leverages the power of hardware virtualization to create multiple distinct secure domains. Bare metal applications and rich operating systems can operate independently and securely within these domains; the prplHypervisor eliminates the possibility of lateral movement within the system while allowing secure high-speed inter-VM communications.

Cesare Garlati, chief security strategist at prpl Foundation, will demonstrate the prplHypervisor on Thursday July 14th at 9AM, as part of a prplSecurity workshop on the IoT Developer track. The demo is a joint development effort of three key prpl members: Intrinsic-ID, Altran and the Pontifical Catholic University of Rio Grande do Sul (PUCRS). Garlati will show three virtual machines connecting to the Internet and securely controlling a robotic arm. The first VM receives commands from the Internet via Altran’s picoTCP stack, the second VM authenticates the request via Intrinsic-ID’s implementation of the prplPUF API, and the third VM controls the robotic arm via USB. The three VMs are completely separated and communicate within the system via prplSecureInterVM APIs.

For those interested in learning more about prpl’s open-source, hardware-led approach to IoT security during IoT Evolution Expo, prpl Foundation president, Art Swift, is moderating a panel debate between representatives of leading IoT companies. The panel will discuss where IoT security weaknesses lie, and what must be done to mitigate them. Panelists include Dr. Pim Tuyls, CEO of Intrinsic-ID, Phil Attfield, CTO of Sequitur Labs, and Lubna Dajani, futurist and chief strategy officer of Intercede. The panel debate begins at 11:20AM on July 14th.

About prpl: prpl (pronounced “Purple”) is an open-source, community-driven, collaborative, non-profit foundation targeting and supporting the MIPS architecture (and open to others) with a focus on enabling next-generation datacenter-to-device portable software and virtualized architectures. prpl represents leaders in the technology industry investing in innovation in efficiency, portability and compatibility for the good of a broad community of developers, businesses and consumers. Initial domains targeted by prpl include datacenter, networking and storage, connected consumer and embedded/IoT.